
‘Operation Endgame’ hits malware delivery platforms – Krebs on Security

By Vaseline, May 30, 2024

Law enforcement agencies in the United States and Europe today announced Operation Endgame, a coordinated action against some of the most popular cybercrime platforms for spreading ransomware and data-stealing malware. Dubbed “the largest anti-botnet operation ever,” this international effort is being billed as the opening salvo of an ongoing campaign targeting advanced malware “droppers” or “loaders” such as IcedID, Smokeloader and Trickbot.

A frame from one of three animated videos released today in connection with Operation Endgame.

Operation Endgame targets the cybercrime ecosystem that supports droppers/loaders, slang terms used to describe small, custom programs designed to stealthily install malware on a target system. Typically used in the early stages of a breach, droppers allow cybercriminals to bypass security measures and deploy additional malicious programs, including viruses, ransomware, or spyware.

Droppers like IcedID are usually deployed via email attachments, hacked websites, or bundled with legitimate software. For example, cybercriminals have long used paid advertising on Google to trick people into installing malware disguised as popular free software such as Microsoft Teams, Adobe Reader and Discord. In those cases, the dropper is the hidden component bundled with the legitimate software that silently loads malware onto the user’s system.

Droppers remain such a crucial, labor-intensive part of almost all major cybercrime enterprises that the most popular ones have morphed into full-fledged cybercrime services of their own. By targeting the individuals who develop and maintain dropper services and their supporting infrastructure, authorities hope to disrupt multiple cybercriminal operations simultaneously.

According to a statement from the European police agency Europol, between May 27 and 29, 2024, authorities arrested four suspects (one in Armenia and three in Ukraine) and disrupted or took down more than 100 internet servers in Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the United Kingdom, the United States and Ukraine. Authorities say they have also seized more than 2,000 domain names that supported the dropper infrastructure online.

In addition, Europol released information on eight fugitives suspected of involvement in dropper services and wanted by Germany; their names and photos were added to Europol’s “Most Wanted” list on May 30, 2024.

A ‘wanted’ poster with the names and photos of eight suspects wanted by Germany and now on Europol’s ‘Most Wanted’ list.

“The investigation to date has revealed that one of the main suspects has made at least €69 million in cryptocurrency by renting out criminal infrastructure sites to deploy ransomware,” Europol wrote. “The suspect’s transactions are continuously monitored and legal authorization has already been obtained to seize these assets in future actions.”

There have been numerous such coordinated malware takedown efforts in the past, and yet the significant amount of coordination required between law enforcement agencies and the cybersecurity companies involved is often not maintained after the initial disruptions and/or arrests.

But a new website set up to chronicle today’s action – – makes it clear that this time is different and that there will be more takedowns and arrests. “Operation Endgame does not end today,” the site promises. “New actions will be announced on this website.”

A post on the Operation Endgame website promises more law enforcement and disruption actions.

Perhaps realizing that many of today’s top cybercriminals are located in countries effectively beyond the reach of international law enforcement, actions like Operation Endgame appear to increasingly focus on psychological operations, i.e. deceiving and unsettling the hackers themselves.

Writing in this month’s issue of Wired, Matt Burgess reports that Western law enforcement officials have deployed psychological measures as an additional way to slow down Russian hackers and penetrate the core of the vast cybercrime ecosystem.

“These emerging psyops include attempts to erode the limited trust criminals have in each other, driving subtle wedges between fragile hacker egos and sending personalized messages to offenders that indicate they are being watched,” Burgess wrote.

When authorities in the US and Britain announced in February 2024 that they had infiltrated and seized the infrastructure used by the infamous LockBit ransomware gang, they borrowed the existing design of LockBit’s victim-shaming website to instead link to press releases about the takedown, and added a countdown timer that was eventually replaced with the personal information of LockBit’s alleged leader.

The FBI used the existing design on LockBit’s “victim shaming” website to display press releases and free decryption tools.

The Operation Endgame website also includes a countdown timer, which serves to prompt the release of various animated videos that mimic the same type of flashy, short-form advertisements that established cybercriminals often create to promote their services online. At least two of the videos contain a significant amount of text in Russian.

The coordinated takedown follows another law enforcement action this week against what the FBI director called “probably the world’s largest botnet ever.” On Wednesday, the US Department of Justice (DOJ) announced the arrest of Yun He Wang, the alleged operator of the decade-old online anonymity service 911 S5. The government has also seized 911 S5’s domains and online infrastructure. The service allegedly turned computers running various “free VPN” products into Internet traffic relays, enabling billions of dollars in online fraud and cybercrime.
